Abstract

According to actual needs, a generalized signcryption scheme can flexibly work
as an encryption scheme, a signature scheme or a signcryption scheme. In
this paper, firstly, we give a security model for identity based generalized
signcryption which is more complete than the existing model. Secondly, we
propose an identity based generalized signcryption scheme. Thirdly, we give
the security proof of the new scheme in this complete model. Compared
with the existing identity based generalized signcryption, the new scheme has
less implementation complexity. Moreover, the new scheme has computation
complexity comparable with that of the existing normal signcryption schemes.

Keywords: Generalized signcryption, Signature, Encryption, Bilinear
pairing, Identity based cryptography

1. Introduction 

Encryption and signature are fundamental tools of Public Key Cryptography
for confidentiality and authenticity respectively. Traditionally, these
two main building blocks have been considered as independent entities.
However, these two basic cryptographic techniques may be combined
in various ways, such as sign-then-encrypt and encrypt-then-sign, in many
applications to ensure privacy and authenticity simultaneously. To enhance
efficiency, Zheng [17] proposed a novel concept named signcryption, which
can fulfill both the functions of signature and encryption in a logical step.
Compared with the traditional methods, signcryption has less computation
complexity, less communication complexity and less implementation
complexity. Because signcryption has so many advantages and such extensive
application prospects, many public key based signcryption schemes
have been proposed [3, 



Identity-based cryptography was introduced by Shamir [15] in 1984. In it,
the public keys of users are their identities and the secret
keys of users are created by a trusted third party named the Public Key
Generator (PKG). In this way, identity-based cryptography greatly relieves
the burden of public key management and provides a more convenient alternative
to conventional public key infrastructure. In [15], Shamir proposed an identity
based signature scheme, but for many years there was no identity based
encryption scheme. In 2001, Boneh and Franklin [1] used bilinear pairings
to give a practical, secure identity based encryption scheme. The first identity
based signcryption scheme was proposed by Malone-Lee [13] along with a
security model. Since then, many identity based signcryption schemes are 
proposed HiHB- 

Signcryption addresses application environments that need
simultaneous message privacy and data integrity. However, in some applications,
these two properties are not both essential. That is, sometimes only
message confidentiality is needed or sometimes only authenticity is needed. In
this case, in order to ensure privacy or authenticity separately, signcryption
must preserve a sign module or an encryption module, which increases the
corresponding computation complexity and implementation complexity. To
decrease implementation complexity, Han et al. [9] proposed a new primitive
called generalized signcryption, which can work as an encryption scheme, a
signature scheme or a signcryption scheme, and gave a generalized
signcryption scheme based on ECDSA. Wang et al. [16] gave the formal security
notions for this new primitive and improved the original generalized
signcryption proposed by Han et al. [9]. In [16], Wang et al. pointed out some
open problems. One of these problems is to enhance efficiency. Another of these
problems is to design an identity based generalized signcryption scheme.



Lai et al. [11] gave an identity based generalized signcryption scheme
(IDGSC). However, after much study, we find that their security model is not
complete, and that their scheme is not secure under the complete security model
for IDGSC. In this paper, our main work includes three aspects. Firstly, in
Section 2, we give the definition of IDGSC and the security model for
IDGSC. Secondly, in Section 3, we propose an efficient IDGSC. Thirdly, in
Section 4, we give the efficiency analysis and security results.

2. IDGSC and Its Security Notions 

2.1. Definition of IDGSC 

Firstly, we will review the algorithms that constitute identity based
encryption (IDEC), identity based signature (IDSG) and identity based
signcryption (IDSC). Then, we will introduce the algorithms that make up an
identity based generalized signcryption (IDGSC).
Definition 1. A normal identity based encryption scheme

IDEC = (Setup, Extract, Encrypt, Decrypt)

consists of four algorithms.

Setup: This is the system initialization algorithm. On input of the security
parameter 1^, this algorithm generates the system parameters $params$ and
the PKG generates his master key $s$ and public key $P_{pub}$. The global public
parameters include $params$ and $P_{pub}$. We write
$((params, P_{pub}), s) \leftarrow$ Setup(1^).

Extract: This is the user key generation algorithm. Given some user's
identity $ID$, the PKG uses it to produce a pair of corresponding public/private
keys. We write $(S_{ID}, Q_{ID}) \leftarrow Extract(ID, s)$.

Encrypt: It takes as input a receiver's identity $ID_r$ and a message $m$ and, using
the public parameters $(params, P_{pub})$, outputs a ciphertext $\varepsilon$. We write
$\varepsilon \leftarrow Encrypt(ID_r, m)$.

Decrypt: It takes as input a receiver's private key $S_r$ and a ciphertext $\varepsilon$ and,
using the public parameters $(params, P_{pub})$, outputs a message $m$ or the
invalid symbol $\bot$. We write $m \leftarrow Decrypt(S_r, \varepsilon)$.
Definition 2. A normal identity based signature scheme

IDSG = (Setup, Extract, Sign, Verify)

consists of four algorithms.

Setup: It is the same as the corresponding Setup algorithm in Definition 1.
Extract: It is the same as the Extract algorithm in Definition 1.
Sign: This algorithm takes as input a signer's private key $S_s$ and a message
$m$ and, using the public parameters $(params, P_{pub})$, outputs a signature $\sigma$. We
write $\sigma \leftarrow Sign(S_s, m)$.
Verify: This algorithm takes as input the signer's public key $Q_s$, a message
$m$ and the corresponding signature $\sigma$, and outputs the valid symbol $\top$ or the
invalid symbol $\bot$. We write $(\top \text{ or } \bot) \leftarrow Verify(Q_s, m, \sigma)$.
Definition 3. A normal identity based signcryption scheme

IDSC = (Setup, Extract, Signcrypt, Unsigncrypt)

consists of four algorithms.

Setup: It is the same as the corresponding Setup algorithm in Definition 1.
Extract: It is the same as the Extract algorithm in Definition 1.
Signcrypt: This algorithm takes as input the sender's private key $S_s$, the
receiver's public key $Q_r$ and a message $m$ and, using the public parameters
$(params, P_{pub})$, outputs a ciphertext $\delta$. We write $\delta \leftarrow SC(S_s, Q_r, m)$.
Unsigncrypt: This algorithm takes as input the sender's public key $Q_s$,
the receiver's secret key $S_r$ and a ciphertext $\delta$ and, using the public parameters
$(params, P_{pub})$, outputs a message $m$ or the invalid symbol $\bot$. We write
$m \leftarrow UC(Q_s, S_r, \delta)$.

A generalized signcryption scheme can work as an encryption scheme, a
signature scheme and a signcryption scheme according to different needs. Let
IDSG = (Setup, Extract, Sign, Verify), IDEC = (Setup, Extract, Encrypt,
Decrypt) and IDSC = (Setup, Extract, Signcrypt, Unsigncrypt) respectively
be an identity based signature scheme, encryption scheme and
signcryption scheme.

Definition 4. An identity based generalized signcryption scheme IDGSC =
(Setup, Extract, GSC, GUC) consists of the following four algorithms:
Setup: It is the same as the corresponding Setup algorithm in Definition 1.
Extract: It is the same as the Extract algorithm in Definition 1.
GSC: for a message $m$,

- When $ID_s \in \Phi$ ($ID_s = 0$), $\varepsilon \leftarrow GSC(\Phi, Q_r, m) = Encrypt(Q_r, m)$.

- When $ID_r \in \Phi$ ($ID_r = 0$), $\sigma \leftarrow GSC(S_s, \Phi, m) = Sign(S_s, m)$.

- When $ID_s \notin \Phi$, $ID_r \notin \Phi$, $\delta \leftarrow GSC(S_s, Q_r, m) = SC(S_s, Q_r, m)$.
GUC: to unsigncrypt a ciphertext $\delta$,

- When $ID_s \in \Phi$ ($ID_s = 0$), $m \leftarrow GUC(\Phi, Q_r, \varepsilon) = Decrypt(Q_r, \varepsilon)$.
- When $ID_r \in \Phi$ ($ID_r = 0$), $(\top, \bot) \leftarrow GUC(S_s, \Phi, \sigma) = Verify(S_s, \sigma)$.

- When $ID_s \notin \Phi$, $ID_r \notin \Phi$, $m \leftarrow GUC(Q_s, S_r, \delta) = UC(Q_s, S_r, \delta)$.

2.2. Security models for IDGSC 

In our security model, there are seven types of queries that the adversary
A may ask the challenger C to answer. In the following text,
"Alice{Text1} $\to$ Bob, and then Bob{Text2} $\to$ Alice" denotes that Alice
submits Text1 to Bob, and then Bob responds with Text2 to Alice.
Extract query: $A\{ID\} \to C$, and then $C\{S_{ID} = Extract(ID)\} \to A$
Sign query: $A\{ID_s, m\} \to C$, and then $C\{\sigma = Sign(S_s, m)\} \to A$
Verify query: $A\{ID_s, \sigma\} \to C$, and then $C\{(\top \text{ or } \bot) = Verify(Q_s, \sigma)\} \to A$
Encrypt query: $A\{ID_r, m\} \to C$, and then $C\{\varepsilon = Encrypt(Q_r, m)\} \to A$
Decrypt query: $A\{ID_r, \varepsilon\} \to C$, and then $C\{m = Decrypt(S_r, \varepsilon)\} \to A$
GSC query: $A\{ID_s, ID_r, m\} \to C$, and then $C\{\delta = GSC(S_s, Q_r, m)\} \to A$
GUC query: $A\{ID_s, ID_r, \delta\} \to C$, and then $C\{m = GUC(Q_s, S_r, \delta)\} \to A$

The generalized signcryption can work in three modes: in signature mode,
in encryption mode and in signcryption mode, denoted IDGSC-IN-SG,
IDGSC-IN-EN and IDGSC-IN-SC respectively. Firstly, we define the confidentiality
of IDGSC-IN-EN (Def. 5) and IDGSC-IN-SC (Def. 6) separately.
Definition 5. IND-(IDGSC-IN-EN)-CCA Security

Consider the following game played by a challenger C and an adversary A.

Game 1

Initialize. Challenger C runs Setup(1^) and sends the public parameters
$(params, P_{pub})$ to the adversary A. C keeps the master key $s$ secret.
Phase 1. In Phase 1, A performs a polynomially bounded number of the above
seven types of queries. These queries made by A are adaptive; that is, every
query may depend on the answers to previous queries.

Challenge. The adversary A chooses two identities $ID_A = 0$, $ID_B \neq 0$ and
two messages $m_0, m_1$. Here, the adversary A cannot have asked an Extract query
on $ID_B$ in Phase 1. The challenger C flips a fair binary coin $\gamma$, encrypts $m_\gamma$
and then sends the target ciphertext $\varepsilon^*$ to A.

Phase 2. In this phase, A asks again a polynomially bounded number of the
above queries, with the natural restriction that he cannot make Extract
queries on $ID_B$, and he cannot ask a Decrypt query on the target ciphertext $\varepsilon^*$.
Guess. Finally, A produces his guess $\gamma'$ on $\gamma$, and wins the game if $\gamma' = \gamma$.

A's advantage of winning Game 1 is defined to be
$Adv^{IND-CCA}_{IDGSC-IN-EN}(t,p) = |2P[\gamma' = \gamma] - 1|$. We say that identity based
generalized signcryption in encryption mode is IND-(IDGSC-IN-EN)-CCA secure
if no polynomially bounded adversary A has a non-negligible advantage in Game 1.
Definition 6. IND-(IDGSC-IN-SC)-CCA Security

Consider the following game played by a challenger C and an adversary A.

Game 2

Initialize and Phase 1.

Challenger C and adversary A act the same as they do in the corresponding
stages of Game 1.

Challenge. The adversary A chooses two identities $ID_A \neq 0$, $ID_B \neq 0$ and
two messages $m_0, m_1$. Here, the adversary A cannot have asked an Extract query
on $ID_B$ in Phase 1. The challenger C flips a fair binary coin $\gamma$, signcrypts
$m_\gamma$ and then sends the target ciphertext $\delta^*$ to A.
Phase 2. In this phase, A asks a polynomially bounded number of the above
queries, with the natural restriction that he cannot make Extract queries
on $ID_B$, and he cannot ask an Unsigncrypt query on the target ciphertext $\delta^*$.
Guess. Finally, A produces his guess $\gamma'$ on $\gamma$, and wins the game if $\gamma' = \gamma$.

A's advantage of winning Game 2 is defined to be
$Adv^{IND-CCA}_{IDGSC-IN-SC}(t,p) = |2P[\gamma' = \gamma] - 1|$. We say that identity based
generalized signcryption in signcryption mode is IND-(IDGSC-IN-SC)-CCA secure
if no polynomially bounded adversary A has a non-negligible advantage in Game 2.

Note 1. The differences between Def. 5 and Def. 6 deserve to be mentioned.
Firstly, in Phase 2 of Def. 5, the adversary is prohibited from making a
Decrypt query on the challenge ciphertext. However, he can transform the
challenge ciphertext into some valid signcryption ciphertext and make an
Unsigncrypt query on the corresponding signcryption ciphertext. Secondly, the
adversary is restricted not to make an Unsigncrypt query on the challenge
ciphertext in Phase 2 of Def. 6. But he can transform the challenge ciphertext
into some valid encryption ciphertext and make a Decrypt query on the
corresponding encryption ciphertext. Such differences are not considered in the
security model proposed by S. Lai et al. [11].

Secondly, we define the unforgeability of IDGSC-IN-SG (Def. 7) and
IDGSC-IN-SC (Def. 8) separately.

Definition 7. EF-(IDGSC-IN-SG)-ACMA Security

Consider the following game played by a challenger C and an adversary A.

Game 3

Initialize. Challenger C runs Setup(1^) and sends the public parameters
$(params, P_{pub})$ to the adversary A. C keeps the master key $s$ secret.
Probe. In this phase, A performs a polynomially bounded number of the above
seven kinds of queries.

Forge. Finally, A produces two identities $ID_A$, $ID_B$, where $ID_B = 0$, and
a ciphertext $\sigma^* = (X^*, m^*, V^*)$. The adversary wins the game if: $ID_A \neq 0$;
$Verify(m^*, ID_A, (X^*, V^*)) = \top$; no Extraction query was made on $ID_A$;
$(X^*, V^*)$ did not result from a $Sign(m^*)$ query with signer $ID_A$.

We define the advantage of A to be $Adv^{EF-ACMA}_{IDGSC-IN-SG}(t,p) = Pr[A \text{ wins}]$. We
say that an identity based generalized signcryption in signature mode is
EF-(IDGSC-IN-SG)-ACMA secure if no polynomially bounded adversary has a
non-negligible advantage in Game 3.
Definition 8. EF-(IDGSC-IN-SC)-ACMA Security

Consider the following game played by a challenger C and an adversary A.

Game 4

Initialize. Challenger C runs Setup(1^) and sends the public parameters
$(params, P_{pub})$ to the adversary A. C keeps the master key $s$ secret.
Probe. In this phase, A performs a polynomially bounded number of the above
seven kinds of queries.

Forge. Finally, A produces two identities $ID_A$, $ID_B$, and a ciphertext
$\sigma^* = (X^*, C^*, V^*)$. Let $m^*$ be the result of unsigncrypting $\delta^*$ under the
secret key corresponding to $ID_B$. The adversary wins the game if: $ID_A \neq 0$;
$ID_A \neq ID_B$; $Verify(m^*, ID_A, (X^*, V^*)) = \top$; no Extraction query was made on
$ID_A$; $(\delta^*, ID_A, ID_B)$ was not output by a Signcrypt query.

We define the advantage of A to be $Adv^{EF-ACMA}_{IDGSC-IN-SC}(t,p) = Pr[A \text{ wins}]$.
We say that an identity based signcryption in signcryption mode is
EF-(IDGSC-IN-SC)-ACMA secure if no polynomially bounded adversary has a
non-negligible advantage in Game 4.

Note 2. The differences between Def. 7 and Def. 8 also need to be
noticed. In Def. 7, the forged signature is not obtained from a Sign query.
But it can be transformed from some valid signcryption ciphertext that is
obtained from a Signcrypt query. In contrast, in Def. 8, the forged signcryption
ciphertext is not the output of a Signcrypt query. But it can be transformed
from some answer of a Sign query. Such differences are not considered in
the security model proposed by S. Lai et al. [11]. Consequently, in the scheme
of S. Lai et al. [11], an adversary can easily forge a valid signature through a
corresponding Signcrypt query and Unsigncrypt query.
3. Our Scheme

3.1. Description of our scheme

Before describing our scheme we need to define a special function $f(ID)$,
where $ID \in \{0,1\}^{n_1}$. If the identity is vacant, that is $ID \in \Phi$, let $ID = 0$
and $f(ID) = 0$; in other cases, $f(ID) = 1$. The concrete algorithms of our
scheme are described as follows.

Setup: Given the security parameter 1^, this algorithm outputs: two cyclic
groups $(G_1, +)$ and $(G_2, \cdot)$ of prime order $q$, a generator $P$ of $G_1$, a bilinear
map $e: G_1 \times G_1 \to G_2$ between $G_1$ and $G_2$, and four hash functions:

$H_0: \{0,1\}^{n_1} \to G_1$; $H_1: G_2 \to \{0,1\}^{n_2} \times \{0,1\}^{n_1} \times G_1^*$;

$H_2: \{0,1\}^{n_2} \times \{0,1\}^{n_1} \times \{0,1\}^{n_1} \to Z_q^*$; $H_3: \{0,1\}^{n_2} \times G_1 \to Z_q^*$,

where $n_1$ and $n_2$ respectively denote the bit length of a user's identity and
of the message. Here $H_0$, $H_1$ need to satisfy an additional property: $H_0(0) =
\vartheta$, $H_1(1) = 0$, where $\vartheta$ denotes the infinite element in group $G_1$. The system
parameters are $params = \{G_1, G_2, q, n_1, n_2, e, P, H_0, H_1, H_2, H_3\}$. Then, the
PKG chooses $s$ randomly from $Z_q^*$ as his master key, and computes $P_{pub} =
sP$ as his public key. The global public parameters are $(params, P_{pub}) =
\{G_1, G_2, q, n_1, n_2, e, P, P_{pub}, H_0, H_1, H_2, H_3\}$.

Extract: For each user in the system with identity $ID_U$, the public key $Q_U =
H_0(ID_U)$ is a simple transform of the identity. The PKG then computes the
private key $S_U = sQ_U$ for $ID_U$.

Generalized Signcryption: Suppose Alice with identity $ID_A$ wants to
send a message $m$ to Bob, whose identity is $ID_B$. She proceeds as follows:

- Computes $f(ID_A)$ and $f(ID_B)$.

- Selects $r$ uniformly from $Z_q^*$, and computes $X = rP$.

- Computes $h_2 = H_2(m\|ID_A\|ID_B)$ and $h_3 = H_3(m\|X)$.

- Computes $V = r^{-1}(h_2 P + f(ID_A) \cdot h_3 \cdot S_A)$.

- Computes $Q_B = H_0(ID_B)$ and $w = e(P_{pub}, Q_B)^{r \cdot f(ID_B)}$.

- Computes $h_1 = H_1(w)$ and $y = m\|ID_A\|V \oplus h_1$.

- Sends $(X, y)$ to Bob.

Generalized Unsigncryption: After receiving $(X, y)$:

- Computes $f(ID_B)$.

- Computes $w = e(X, S_B)^{f(ID_B)}$, $h_1 = H_1(w)$, $m\|ID_A\|V = y \oplus h_1$.

- Computes $h_2 = H_2(m\|ID_A\|ID_B)$ and $h_3 = H_3(m\|X)$.

- Checks that $e(X, V) = e(P, P)^{h_2} \cdot e(P_{pub}, Q_A)^{h_3 \cdot f(ID_A)}$; if not, returns $\bot$.
Else, returns $m$.
3.2. Correctness

There are three cases to be considered.
Case 1. IDGSC-IN-SC

In this case, $ID_A, ID_B \notin \Phi$ (that is, $ID_A, ID_B \neq 0$), so $f(ID_A) =
f(ID_B) = 1$ and the scheme is actually a signcryption scheme. It is easy to
verify that:

$w = e(P_{pub}, Q_B)^r = e(X, S_B)$;

$e(X, V) = e(rP, r^{-1}(h_2 P + h_3 \cdot S_A)) = e(P, P)^{h_2} \cdot e(P_{pub}, Q_A)^{h_3}$;
$UC(ID_A, ID_B, SC(ID_A, ID_B, m)) = m$.
So our scheme in signcryption mode is correct.
Case 2. IDGSC-IN-SG

In this case, $ID_A \notin \Phi$, $ID_B \in \Phi$ (that is, $ID_A \neq 0$, $ID_B = 0$), so
$f(ID_A) = 1$, $f(ID_B) = 0$. The generalized signcryption scheme in signature
mode is as follows:
Sign:

- Selects $r$ uniformly from $Z_q^*$, and computes $X = rP$.

- Computes $h_2 = H_2(m\|ID_A\|0)$ and $h_3 = H_3(m\|X)$.

- Computes $V = r^{-1}(h_2 P + f(ID_A) \cdot h_3 \cdot S_A) = r^{-1}(h_2 P + h_3 \cdot S_A)$.

- Computes $Q_B = H_0(0) = \vartheta$ and $w = e(P_{pub}, \vartheta)^{r \cdot f(ID_B)} = 1$.

- Computes $h_1 = H_1(w) = H_1(1) = 0$ and $y = m\|ID_A\|V \oplus 0 = m\|ID_A\|V$.

- Outputs the signature $(X, m\|ID_A\|V)$.
Verify:

- Computes $h_2 = H_2(m\|ID_A\|0)$ and $h_3 = H_3(m\|X)$.

- Checks that $e(X, V) = e(P, P)^{h_2} \cdot e(P_{pub}, Q_A)^{h_3}$; if not, returns $\bot$.

In fact, the reduced signature scheme is the signature scheme, denoted
PSG, proposed by Paterson [14].
Case 3. IDGSC-IN-EN

In this case, $ID_A \in \Phi$, $ID_B \notin \Phi$ (that is, $ID_A = 0$, $ID_B \neq 0$), so
$f(ID_A) = 0$, $f(ID_B) = 1$. The generalized signcryption scheme in encryption
mode is as follows:
Encrypt:

- Selects $r$ uniformly from $Z_q^*$, and computes $X = rP$.

- Computes $h_2 = H_2(m\|0\|ID_B)$ and $h_3 = H_3(m\|X)$.

- Computes $V = r^{-1}(h_2 P + f(ID_A) \cdot h_3 \cdot S_A) = r^{-1} h_2 P$.

- Computes $Q_B = H_0(ID_B)$ and $w = e(P_{pub}, Q_B)^r$.

- Computes $h_1 = H_1(w)$ and $y = m\|0\|V \oplus h_1$.

- Sends $(X, y)$ to Bob.
Decrypt:

- Computes $f(ID_B)$.

- Computes $w = e(X, S_B)^{f(ID_B)} = e(X, S_B)$ and $h_1 = H_1(w)$.

- Computes $m\|0\|V = y \oplus h_1$.

- Computes $h_2 = H_2(m\|0\|ID_B)$ and $h_3 = H_3(m\|X)$.

- Checks that $e(X, V) = e(P, P)^{h_2}$; if not, returns $\bot$. Else, returns $m$.

Actually, the reduced encryption scheme is a combination of the basic
encryption scheme, denoted BFE, proposed by Boneh and Franklin [1] and a
one-time signature scheme.
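
The three cases above can be exercised end to end. The following Python sketch is an added example, not code from the paper: it runs GSC and GUC over a toy pairing in which a $G_1$ element $aP$ is stored as the scalar $a$ mod $q$, so it is insecure and only checks the algebra. The hash instantiations, byte lengths, function names and identity strings are assumptions made here. It also shows that a signcryption stripped of its encryption layer does not verify in signature mode, because $h_2$ binds $ID_B$.

```python
import hashlib
import secrets

# Toy symmetric pairing, INSECURE by construction: a G1 element aP is stored as
# the scalar a mod Q, so discrete logs are free. It only checks the algebra.
Q = 2**127 - 1                        # prime group order q (a Mersenne prime)

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases, used only to pick the toy modulus."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

K = next(k for k in range(2, 10**6, 2) if is_probable_prime(k * Q + 1))
P_MOD = K * Q + 1                     # modulus with q dividing P_MOD - 1
G = pow(2, K, P_MOD)                  # generates the order-q subgroup used as G2
assert G != 1 and pow(G, Q, P_MOD) == 1

N1, N2, NV = 8, 16, 16                # bytes: identity (n1), message (n2), encoded V
VACANT = bytes(N1)                    # the vacant identity, written 0 in the paper

def pair(a, b):                       # e(aP, bP) = G^(ab)
    return pow(G, a * b % Q, P_MOD)

def hq(tag, data):                    # hash into Z_q^* (assumed instantiation)
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % (Q - 1) + 1

def f(ident):
    return 0 if ident == VACANT else 1
def H0(ident):                        # H0(0) = infinite element, stored as scalar 0
    return 0 if ident == VACANT else hq(b"H0", ident)

def H1(w):                            # mask for m || ID_A || V, with H1(1) = 0
    n = N2 + N1 + NV
    return bytes(n) if w == 1 else hashlib.shake_256(w.to_bytes(32, "big")).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    s = secrets.randbelow(Q - 1) + 1
    return s, s                       # master key s and P_pub = sP (P is the scalar 1)

def extract(s, ident):
    return s * H0(ident) % Q          # S_U = s * Q_U
def h2_h3(m, id_a, id_b, X):
    return hq(b"H2", m + id_a + id_b), hq(b"H3", m + X.to_bytes(NV, "big"))

def gsc(S_a, id_a, id_b, m, P_pub):
    r = secrets.randbelow(Q - 1) + 1
    X = r                             # X = rP
    h2, h3 = h2_h3(m, id_a, id_b, X)
    V = pow(r, -1, Q) * (h2 + f(id_a) * h3 * S_a) % Q
    w = pow(pair(P_pub, H0(id_b)), r * f(id_b), P_MOD)
    return X, xor(m + id_a + V.to_bytes(NV, "big"), H1(w))

def guc(X, y, id_b, S_b, P_pub):
    plain = xor(y, H1(pow(pair(X, S_b), f(id_b), P_MOD)))
    m, id_a, V = plain[:N2], plain[N2:N2 + N1], int.from_bytes(plain[N2 + N1:], "big")
    h2, h3 = h2_h3(m, id_a, id_b, X)
    rhs = pow(G, h2, P_MOD) * pow(pair(P_pub, H0(id_a)), h3 * f(id_a), P_MOD) % P_MOD
    return (m, id_a) if pair(X, V) == rhs else None    # None stands for the invalid symbol

ALICE, BOB = b"alice".ljust(N1, b"\0"), b"bob".ljust(N1, b"\0")  # constructed identities
MSG = b"pay 10 to carol".ljust(N2)                                # constructed message

def demo():
    s, P_pub = setup()
    S_a, S_b = extract(s, ALICE), extract(s, BOB)
    out = {}
    X, y = gsc(S_a, ALICE, BOB, MSG, P_pub)          # signcryption mode
    out["sc"] = guc(X, y, BOB, S_b, P_pub)
    Xs, ys = gsc(S_a, ALICE, VACANT, MSG, P_pub)     # signature mode: receiver vacant
    out["sg"] = guc(Xs, ys, VACANT, 0, P_pub)
    Xe, ye = gsc(0, VACANT, BOB, MSG, P_pub)         # encryption mode: sender vacant
    out["en"] = guc(Xe, ye, BOB, S_b, P_pub)
    # Bob strips the encryption layer and presents (X, m||ID_A||V) as a plain
    # signature: rejected, because h2 = H2(m||ID_A||ID_B) binds the receiver.
    stripped = xor(y, H1(pair(X, S_b)))
    out["replayed_as_signature"] = guc(X, stripped, VACANT, 0, P_pub)
    out["tampered"] = guc(Xs, bytes([ys[0] ^ 1]) + ys[1:], VACANT, 0, P_pub)
    return out

if __name__ == "__main__":
    print(demo())
```

In signature mode the verifier passes the vacant key 0, so the mask $H_1(1) = 0$ leaves $y$ in the clear, exactly as in Case 2.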

4. Efficiency Analysis and Security Results 

4.1. Efficiency Analysis

The main purpose of generalized signcryption is to reduce implementation
complexity. According to different application environments, generalized
signcryption can fulfill the function of signature, encryption or signcryption
respectively. However, the computation complexity may increase compared
with a normal signcryption scheme. Such as, jo], [16], these schemes all need
an additional secure MAC function, which increases not only the computation
complexity but also the implementation complexity. Fortunately, this
additional requirement is not needed in our scheme. Moreover, our scheme
is as efficient as j^, which is the most efficient identity based signcryption
scheme. In Table 1 below we compare the computation complexity of our
scheme, denoted NIDGSC, with several famous signcryption schemes. We
use mul., exps. and cps. as abbreviations for multiplications, exponentiations
and computations respectively. Here, the computations that can be
pre-calculated are denoted by (+?).
[Table 1: cell values not recoverable from the extracted text. Column groups:
Sign/Encrypt and Decrypt/Verify; the rows compare NIDGSC with other schemes.]

Table 1. Comparison between the dominant operations required for IDGSC
and other schemes



4.2. Security Results

In this section we state the security results for our scheme under the
security model defined in Section 2.2. Our results are all in the random oracle
model. In each of the results below we assume that the adversary makes $q_i$
queries to $H_i$ for $i = 0, 1, 2, 3$. $q_s$ and $q_u$ denote the number of Signcrypt and
Unsigncrypt queries made by the adversary respectively, and $n_3$ and $n_4$ denote
the bit length of an element in group $G_1$ and $G_2$ respectively.

Theorem 1. If there is an EF-ACMA adversary A of NIDGSC in
signature-mode that succeeds with advantage $Adv^{EF-ACMA}_{NIDGSC-IN-SG}(t,p)$, then there
is a simulator C that can forge valid signature of PSG with advantage 

When NIDGSC works as a signature scheme, it is actually the signature
scheme, PSG, proposed by Paterson [14]. The PSG scheme itself is
EF-ACMA secure. As for the Signcrypt/Unsigncrypt queries, which are absent
in a normal signature scheme, these queries are useless to the adversary of
NIDGSC-IN-SG, because the identities of sender and receiver are included
in the signature. There are two ways to modify these values. First, the
adversary must find a special hash collision. Second, the adversary succeeds in
solving the ECDLP Q problem. In such cases, the adversary has negligible
advantage to modify these values. So an EF-ACMA adversary can attack
the PSG scheme if he can attack NIDGSC in signature mode.

Theorem 2. Let $Adv^{IND-CCA2}_{NIDGSC-IN-EN}(t,p) = \epsilon$ be the advantage of an IND-CCA2
adversary A of NIDGSC in encryption-mode, then $\epsilon$ is polynomial time
negligible.

When NIDGSC works as an encryption scheme, it is actually the combination
of the basic identity based encryption scheme proposed in [1] and
a one-time signature scheme. Owing to the theorem proposed by Canetti
et al. [3], this combined encryption scheme is secure against normal adaptive
chosen-ciphertext attack. As for the Signcrypt/Unsigncrypt queries, the
adversary cannot transform the target encryption ciphertext into a valid
signcryption ciphertext. This conclusion is based on the EF-ACMA security of
PSG. So NIDGSC in encryption mode is IND-CCA2 secure.

Theorem 3. If A can forge a valid signcryption ciphertext of NIDGSC in
signcryption-mode successfully with advantage $Adv^{EF-ACMA}_{NIDGSC-IN-SC}(t,p)$, then there
is a simulator C that can forge a valid signature of PSG with advantage $\epsilon$:

$\epsilon > Adv^{EF-ACMA}_{NIDGSC-IN-SC}(t,p) + (q_1 \cdot q_s)/2^{n_4} + q_u/(2^{n_2} \cdot 2^{n_1} \cdot 2^{n_3})$.

The corresponding proofs are given in Appendix A.

Theorem 4. If there is an IND-IBSC-CCA2 adversary A of NIDGSC
in signcryption-mode that succeeds with advantage $Adv^{IND-IBSC-CCA2}_{NIDGSC-IN-SC}(t,p)$, then
there is a challenger C running in polynomial time that solves the weak
BCDH problem with advantage $\epsilon$:

e > Adv%-TL,Xt,p)/{q^-qi)- 

The definition of weak BCDH problem and corresponding proofs are given 
in Appendix B. 

5. Conclusions 

In this paper, we define the security model for IDGSC and propose an
efficient IDGSC which is proved secure under this security model. Compared
with existing generalized signcryption schemes, our scheme doesn't need
an extra secure MAC function. So it has less implementation complexity.
What's more, it is almost as efficient as the normal signcryption scheme.

An interesting open question is to design a non-ID based (public key
or certificateless) generalized signcryption scheme that does not need an
additional MAC function.

Acknowledgement

This work is supported by 863 Project of China (No. 2009AA01Z417).
The authors would like to thank the anonymous referees for their helpful
comments.

References 

[1] D.Boneh, M.Franklin, Identity Based Encryption from the Weil Pairing.
Advances in Cryptology-Crypto'01, LNCS 2139, Springer, 2001

[2] F.Bao, R.H.Deng, A signcryption scheme with signature directly
verifiable by public key, in: Proceeding of PKC'98, LNCS 1431,
Springer-Verlag, 1998, pp. 55-59

[3] X.Boyen, Multipurpose Identity-Based Signcryption: A Swiss army
knife for identity-based cryptography, in: D.Boneh ed. Advances in
Cryptology-CRYPTO 2003, Lecture Notes in Computer Science 2729.
Berlin: Springer-Verlag, 2003, 383-399






[4] R.Canetti, S.Halevi, J.Katz, Chosen-ciphertext security from
identity-based encryption. In Advances in Cryptology-EUROCRYPT 2004,
volume 3027 of LNCS, pages 207-22. Springer-Verlag, 2004

[5] L.Chen, Malone-Lee, Improved Identity-Based Signcryption. In:
Vaudenay S. ed. Public Key Cryptography-PKC2005, Lecture Notes in
Computer Science 3386. Berlin: Springer-Verlag, 2005, 362-379

[6] Certicom Research, Standards for efficient cryptography, SEC 1: elliptic
curve cryptography. Standards for efficient cryptography group (SECG),
September 20, 2000

[7] S.S.M.Chow, S.M.Yiu, L.C.K.Hui, K.P.Chow, Efficient forward and
provably secure ID-based signcryption scheme with public verifiability
and public ciphertext authenticity. In: Lim J.I., Lee D.H. eds.,
Information Security and Cryptology-ICISC'03, Lecture Notes in Computer
Science 2971. Berlin: Springer-Verlag, 2004, 352-369

[8] R.Hwang, C.Lai, F.Su, An efficient signcryption scheme with forward
secrecy based on elliptic curve. Applied Mathematics and Computation,
167(2005), Page: 870-881

[9] Y.Han, X.Yang, New ECDSA-Verifiable Generalized Signcryption.
Chinese Journal of Computer, NO. 11, Page: 2003-2012, 2006

[10] H.Y.Jung, K.S.Chang, D.H.Lee, J.I.Lim, Signcryption schemes with
forward secrecy, Proceeding of WISA 2(2001)403-233

[11] S.Lai, P.Kushwah, ID based generalized signcryption, Cryptology ePrint
Archive, 2008/084

[12] B.Libert, J.Quisquater, A New Identity Based Signcryption Schemes
from Pairings. In: Proceeding of the 2003 IEEE Information Theory
Workshop, Paris, France, 2003, 155-158

[13] Malone-Lee, Identity Based Signcryption. Cryptology ePrint Archive,
Report 2002/098

[14] K.G.Paterson, ID-based signatures from pairings on elliptic curves.
Electronics Letters, 2002, 38(18): 1025-1026






[15] A.Shamir, Identity-based Cryptosystems and Signature Schemes. In:
Blakley G.R., Chaum D. eds. Advances in Cryptology-CRYPTO'84,
Lecture Notes in Computer Science 196. Berlin: Springer-Verlag, 1984, 47-53

[16] X.Wang, X.Yang, Y.Han, Provable secure generalized signcryption.
Cryptology ePrint Archive, 2007/173

[17] Y.Zheng, Digital signcryption or How to Achieve Cost (Signature &
Encryption) << Cost (Signature) + Cost (Encryption). CRYPTO'97,
LNCS 1294, Berlin: Springer-Verlag, 1997, 165-179

[18] Y.Zheng, H.Imai, How to construct efficient signcryption schemes on
elliptic curves. Information Processing Letters, Vol. 68, NO. 5, Sep.,
Page: 227-233, 1998



Appendix A. Proof of Theorem 3 

We will reduce an attack on the EF-ACMA security of NIDGSC to an attack on
the EF-ACMA security of PSG, proposed by Paterson [14]. Hence, we define two
experiments, Exp 1 and Exp 2. In each experiment, the private and public keys
and the random oracle's coin flipping space are not changed. The difference
between Exp 1 and Exp 2 comes from the rules of the oracle service that the
challenger provides for the adversary.
Exp 1

In this experiment, we use the standard technique to simulate the hash
functions used in our scheme. It is well known that no adversary can distinguish
between this environment and the real environment in polynomially bounded
time. Let $S_0$ denote the event that the EF-ACMA adversary can attack NIDGSC
successfully in Exp 1.

Challenger C needs to keep four lists $L_i$, $i = 0, 1, 2, 3$, which are vacant
at the very beginning. These lists are used to record answers to the
corresponding hash $H_i$, $i = 0, 1, 2, 3$ queries.

Setup. At the beginning, challenger C runs the algorithm Setup(1^) and
acts as the PKG. That is, he generates the global public system parameters
$(params, P_{pub})$ and the master private key $s$. Then, he sends $(params, P_{pub})$
to the adversary A.

Probe. We now describe how the challenger simulates various queries. 
Simulator: $H_0(ID_U)$

- If the record $(ID_U, Q_U, S_U)$ is found in $L_0$, then returns $Q_U$.

- Else chooses $Q_U$ randomly from $G_1$; computes $S_U = sQ_U$; stores $(ID_U, Q_U,
S_U)$ in $L_0$ and returns $Q_U$.

Simulator: $H_1(w)$

- Searches $(w, h_1)$ in the list $L_1$. If such a pair is found, returns $h_1$.

- Otherwise chooses $h_1$ randomly from $\{0,1\}^{n_2} \times \{0,1\}^{n_1} \times G_1^*$, and puts
$(w, h_1)$ into $L_1$ and returns $h_1$.

Simulator: $H_2(m\|ID_A\|ID_B)$

- Searches $(m\|ID_A\|ID_B, h_2)$ in the list $L_2$. If such a pair is found, returns $h_2$.

- Otherwise chooses $h_2$ randomly from $Z_q^*$, and puts $(m\|ID_A\|ID_B, h_2)$ into
$L_2$ and returns $h_2$.

Simulator: $H_3(m\|X)$

- Searches $(m\|X, h_3)$ in the list $L_3$. If such a pair is found, returns $h_3$.

- Otherwise chooses $h_3$ randomly from $Z_q^*$, and puts $(m\|X, h_3)$ into $L_3$ and
returns $h_3$.

Simulator: $Extract(ID_U)$

We assume that A makes the query $H_0(ID_U)$ before it makes an Extract
query for $ID_U$.

- Searches $L_0$ for the entry $(ID_U, Q_U, S_U)$ corresponding to $ID_U$, and
responds with $S_U$.

Simulator: $Sign(ID_A, m)$, $Verify(ID_B, \sigma)$

The challenger can easily answer these queries for the adversary, because
the challenger initializes the system and knows the master key. So he
can use signer $ID_A$'s private key to sign message $m$ and use the receiver
$ID_B$'s public key to verify the signature $\sigma$ faithfully according to
IDGSC-IN-SG. The only difference is substituting the above hash simulators for
the hash functions.

Simulator: $Encrypt(ID_B, m)$, $Decrypt(ID_B, \varepsilon)$

The challenger can get receiver $ID_B$'s public key and private key. So he
can supply these services for the adversary. Also the hash functions in the
scheme use the above hash simulators.

Simulator: $GSC(ID_A, ID_B, m)$, $GUC(ID_A, ID_B, \delta)$

The challenger can get sender $ID_A$'s public key and private key and
receiver $ID_B$'s public key and private key. So he can supply these services for
the adversary. Here, the hash functions also use the above hash simulators.

Exp 2

In this experiment, we remove the layer of encryption and reduce
the signcryption scheme to the PSG scheme. In the Setup phase, the challenger
initializes the system just as he does in Exp 1. In the Probe phase, apart from
the following simulators, the challenger acts the same as in Exp 1.

Simulator: $Sign(ID_A, m)$, $Verify(ID_B, \sigma)$

Here, the challenger will follow PSG to accomplish these simulations.

Simulator: $GSC(ID_A, ID_B, m)$

Here, the challenger will keep another list $L_g$ to record the GSC queries
that the adversary asks.

- Selects $r$ uniformly from $Z_q^*$, and computes $X = rP$.

- Computes $h_2 = H_2(m\|ID_A\|ID_B)$ and $h_3 = H_3(m\|X)$.

- Computes $V = r^{-1}(h_2 P + h_3 \cdot S_A)$.

- Selects $h_1$ uniformly from $\{0,1\}^{n_2} \times \{0,1\}^{n_1} \times G_1^*$ and adds $(*, h_1)$ to List
$L_1$. The first element is vacant, and will be given some value later.

- Computes $y = m\|ID_A\|V \oplus h_1$ and adds $(X, y, V, ID_A, ID_B, m)$ to List $L_g$.

- Outputs ciphertext $(X, y)$. (Here, $h_2$, $h_3$ come from the corresponding Hash
Simulators.)

Simulator: $GUC(ID_A, ID_B, \delta)$

- Searches $(*\|ID_A\|ID_B, *)$ in the list $L_2$; if such a record $(m\|ID_A\|ID_B, h_2)$
is found, goes to the next step. Else, returns $\perp$.

- Searches $(m\|*, *)$ in the list $L_3$; if such a record $(m\|X, h_3)$ is found, goes
to the next step. Else, returns $\perp$.

- Searches $(X, *, *, ID_A, ID_B, m)$ in the list $L_g$; if such a record $(X, y, V, ID_A, ID_B, m)$
is found, goes to the next step. Else, returns $\perp$.

- Checks that $e(X, V) = e(P, P)^{h_2} \cdot e(P_{pub}, Q_A)^{h_3}$; if not, returns $\perp$.

- Else computes $w = e(X, S_B)$ and $h_1 = y \oplus m\|ID_A\|V$.

- Searches $(*, h_1)$ in the list $L_1$; if such a record is found, the first element
is defined to be $w$ and returns $m$. Else, returns $\perp$.

Now we discuss the difference between Exp 1 and Exp 2. The adversary
can distinguish Exp 1 from Exp 2 if one of the following events happens. Firstly,
during the Signcrypt query, the adversary has made the query $H_1(w)$,
where $w$ happens to be the vacant value of some record. The probability
of such an event happening is at most $q_1/2^{n_3}$. The adversary makes $q_g$ Signcrypt
queries, so the probability of such events happening is at most $(q_1 \cdot q_g)/2^{n_3}$ in
total. Secondly, during the Unsigncrypt query, the adversary has guessed the
plaintext of some ciphertext. The probability of such an event happening is at
most $1/(2^{n_2} \cdot 2^{n_1} \cdot 2^{n_3})$. The adversary makes $q_u$ Unsigncrypt queries, so the
probability of such events happening is at most $q_u/(2^{n_2} \cdot 2^{n_1} \cdot 2^{n_3})$ in total.
Let $S_1$ denote the event that the adversary attacks successfully in Exp 2. So, we have:
$|\Pr(S_0) - \Pr(S_1)| \le (q_1 \cdot q_g)/2^{n_3} + q_u/(2^{n_2} \cdot 2^{n_1} \cdot 2^{n_3})$
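The vacant-record bookkeeping of Exp 2 can be made concrete with a short Python sketch. This is an added example, not code from the paper: the class and function names are hypothetical, byte strings stand in for $w$, $h_1$ and $m\|ID_A\|V$, and the 16-byte output length is a constructed value.

```python
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class H1Simulator:
    """List L1 of [w, h1] records, sampled lazily; w is None while vacant."""

    def __init__(self, out_bytes=16):
        self.out_bytes = out_bytes
        self.L1 = []

    def query(self, w):
        # Hash simulator: answer from the list, else sample and record.
        for rec in self.L1:
            if rec[0] == w:
                return rec[1]
        h1 = secrets.token_bytes(self.out_bytes)
        self.L1.append([w, h1])
        return h1

    def add_vacant(self):
        # GSC simulator: fix h1 now, leave the first element undefined.
        h1 = secrets.token_bytes(self.out_bytes)
        self.L1.append([None, h1])
        return h1

    def program(self, h1, w):
        # GUC simulator: define the vacant record's first element to be w.
        # False signals the distinguishing event: H1(w) was already answered
        # with a different value, so the list cannot be made consistent.
        if any(rec[0] == w and rec[1] != h1 for rec in self.L1):
            return False
        for rec in self.L1:
            if rec[0] is None and rec[1] == h1:
                rec[0] = w
                return True
        return False  # no vacant record holds this h1

def simulate_gsc(sim, plaintext):
    # plaintext stands for m||ID_A||V and must be sim.out_bytes long
    return xor(plaintext, sim.add_vacant())

def simulate_guc(sim, y, plaintext, w):
    # plaintext comes from the L_g record; w stands for e(X, S_B)
    return sim.program(xor(y, plaintext), w)
```

Once a vacant record has been programmed, a later `query(w)` returns the same mask that produced `y`, which is what keeps the adversary's view consistent with Exp 1 outside the bad event.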

Appendix B. Proof of Theorem 4 

Weak BCDH problem. $(G_1, +)$ and $(G_2, \cdot)$ are two cyclic groups of
prime order $q$, $P$ is a generator of $G_1$, and $e : G_1 \times G_1 \to G_2$ is a bilinear map
between $G_1$ and $G_2$. Given $(P, aP, bP, cP, c^{-1}P)$, where $a, b, c \in Z_q^*$, the strong
BDH problem is to compute $e(P, P)^{abc}$.

Proof. If there is an IND-CCA2 adversary $A$ of IDGSC in the signcryption
mode, then the challenger $C$ can use it to solve the strong BDH
problem. Let $(P, aP, bP, cP, c^{-1}P)$ be an instance of the weak BCDH problem
that $C$ wants to solve. At first, $C$ runs the $Setup(1^k)$ algorithm to produce
parameters $params$. It sets the public key as $P_{pub} = cP$, although it doesn't
know the master key $c$. And then $C$ sends $(params, P_{pub})$ to the adversary
$A$.

Besides the four lists $L_i$, $i = 0, 1, 2, 3$, the challenger $C$ also needs to keep
another list $L_g$, which is used to record answers to the Signcrypt query.

Phase 1

Simulator: $H_0(ID_U)$

At the beginning, $C$ chooses $i_b$ uniformly at random from $1, \ldots, q_0$. We
assume that $A$ doesn't make repeat queries.

- If $i = i_b$, responds with $H_0(ID_U) = bP$ and sets $ID_U = ID_b$.

- Else chooses $k$ uniformly at random from $Z_q^*$; computes $Q_U = kP$ and
$S_U = kP_{pub}$; stores $(ID_U, Q_U, S_U, k)$ in $L_0$ and responds with $Q_U$.

Simulator: $H_1(w)$

- Searches $(w, h_1)$ in List $L_1$. If such a pair is found, returns $h_1$.

- Otherwise chooses $h_1$ randomly from $\{0,1\}^{n_2} \times \{0,1\}^{n_1} \times G_1^*$, and puts
$(w, h_1)$ into $L_1$ and returns $h_1$.

Simulator: $H_2(m\|ID_1\|ID_2)$

- Searches $(m\|ID_1\|ID_2, h_2)$ in List $L_2$. If such a pair is found, returns $h_2$.

- Otherwise chooses $h_2$ randomly from $Z_q^*$, and puts $(m\|ID_1\|ID_2, h_2)$ into
$L_2$ and returns $h_2$.

Simulator: $H_3(m\|X)$

- Searches $(m\|X, h_3)$ in the list $L_3$. If such a pair is found, returns $h_3$.

- Otherwise chooses $h_3$ randomly from $Z_q^*$, and puts $(m\|X, h_3)$ into $L_3$ and
returns $h_3$.

Simulator: $Extract(ID_U)$

We assume that $A$ makes the query $H_0(ID_U)$ before it makes the extract
query for $ID_U$.

- If $ID_U = ID_b$, aborts the simulation.

- Else, searches $L_0$ for the entry $(ID_U, Q_U, S_U, k)$ corresponding to $ID_U$, and
responds with $S_U$.

Simulator: $Sign(ID_1, m)$

We assume that $A$ makes the query $H_0(ID_1)$ before the $Sign(ID_1, m)$ query.

Case 1: $ID_1 \neq ID_b$

- Find the entry $(ID_1, Q_1, S_1, k)$ in $L_0$.

- Selects $r$ uniformly from $Z_q^*$, and computes $X = rP$.

- Computes $h_2 = H_2(m\|ID_1\|0)$ and $h_3 = H_3(m\|X)$.

- Computes $V = r^{-1}(h_2 P + h_3 \cdot S_1)$.

- Outputs $(X, m\|ID_1\|V)$. (Here $H_i$, $i = 2, 3$, comes from the simulator
above.)

Case 2: $ID_1 = ID_b$

- Selects $r$ uniformly from $Z_q^*$, and computes $X = rP_{pub}$.

- Computes $h_2 = H_2(m\|ID_1\|0)$ and $h_3 = H_3(m\|X)$.

- Computes $V = r^{-1}(h_2 \cdot c^{-1}P + h_3 \cdot bP)$.

- Outputs $(X, m\|ID_1\|V)$. (Here $H_i$, $i = 2, 3$, comes from the simulator
above.)

Simulator: $Verify(ID_1, \sigma)$

- Computes $h_2 = H_2(m\|ID_1\|0)$. If $(m\|ID_1\|0, h_2) \notin L_2$, returns $\perp$.

- Computes $h_3 = H_3(m\|X)$. If $(m\|X, h_3) \notin L_3$, returns $\perp$.

- If $ID_1 \notin L_0$, returns $\perp$; else computes $Q_1 = H_0(ID_1)$.

- Checks that $e(X, V) = e(P, P)^{h_2} \cdot e(P_{pub}, Q_1)^{h_3}$; if not, returns $\perp$. Else,
returns $\top$.

Simulator: $Encrypt(ID_2, m)$

We assume that $A$ has made the $H_0(ID_2)$ query before the $Encrypt(ID_2, m)$
query.

- Selects $r$ uniformly from $Z_q^*$, and computes $X = rP$.

- Computes $h_2 = H_2(m\|0\|ID_2)$ and $h_3 = H_3(m\|X)$.

- Computes $V = r^{-1} h_2 P$.

- Computes $Q_2 = H_0(ID_2)$ and $w = e(P_{pub}, Q_2)^r$.

- Computes $h_1 = H_1(w)$ and $y = m\|0\|V \oplus h_1$.

- Outputs $(X, y)$. (Here $H_i$, $i = 0, 1, 2, 3$, comes from the simulator above.)

Simulator: $Decrypt(ID_2, \varepsilon)$

We assume that $A$ makes the query $H_0(ID_2)$ before $Decrypt(ID_2, \varepsilon)$.

Case 1: $ID_2 \neq ID_b$

- Find the entry $(ID_2, Q_2, S_2, k)$ in $L_0$.

- Computes $w = e(X, S_2)$ and $h_1 = H_1(w)$.

- If $(w, h_1) \notin L_1$, returns $\perp$. Else, computes $m\|0\|V = y \oplus h_1$.

- Computes $h_2 = H_2(m\|0\|ID_2)$. If $(m\|0\|ID_2, h_2) \notin L_2$, returns $\perp$.

- Computes $h_3 = H_3(m\|X)$. If $(m\|X, h_3) \notin L_3$, returns $\perp$.

- Checks that $e(X, V) = e(P, P)^{h_2}$; if not, returns $\perp$. Else, returns $m$.

Case 2: $ID_2 = ID_b$

Step through the list $L_1$ with entries $(w, h_1)$ as follows:

- Computes $m\|0\|V = y \oplus h_1$.

- If $m\|0\|ID_2 \in L_2$, computes $h_2 = H_2(m\|0\|ID_2)$; else moves to the next
entry in $L_1$ and begins again.

- If $m\|X \in L_3$, computes $h_3 = H_3(m\|X)$; else moves to the next entry in
$L_1$ and begins again.

- Checks that $e(X, V) = e(P, P)^{h_2}$. If so, returns $m$; else moves to the next
entry in $L_1$ and begins again.

- If no message has been returned after stepping through $L_1$, returns $\perp$.

Simulator: $Signcrypt(ID_1, ID_2, m)$

We assume that $A$ makes the queries $H_0(ID_1)$ and $H_0(ID_2)$ before making a
signcrypt query using identities $ID_1$ and $ID_2$.

Case 1: $ID_1 \neq ID_b$

- Find the entry $(ID_1, Q_1, S_1, k)$ in $L_0$.

- Selects $r$ uniformly from $Z_q^*$, and computes $X = rP$.

- Computes $h_2 = H_2(m\|ID_1\|ID_2)$ and $h_3 = H_3(m\|X)$.

- Computes $V = r^{-1}(h_2 P + h_3 S_1)$.

- Computes $Q_2 = H_0(ID_2)$ and $w = e(P_{pub}, Q_2)^r$.

- Computes $h_1 = H_1(w)$ and $y = m\|ID_1\|V \oplus h_1$.

- Outputs $(X, y)$. (Here $H_i$, $i = 0, 1, 2, 3$, comes from the simulator above.)

Case 2: $ID_1 = ID_b$

- Find the entry $(ID_2, Q_2, S_2, k)$ in $L_0$.

- Selects $r$ uniformly from $Z_q^*$, and computes $X = rP_{pub}$.

- Computes $h_2 = H_2(m\|ID_1\|ID_2)$ and $h_3 = H_3(m\|X)$.

- Computes $V = r^{-1}(h_2 \cdot c^{-1}P + h_3 \cdot bP)$.

- Computes $w = e(X, S_2)$, $h_1 = H_1(w)$ and $y = m\|ID_1\|V \oplus h_1$.

- Outputs $(X, y)$. (Here $H_i$, $i = 1, 2, 3$, comes from the simulator above.)

Simulator: $Unsigncrypt(ID_1, ID_2, \varepsilon)$

We assume that $A$ makes the queries $H_0(ID_1)$ and $H_0(ID_2)$ before making
this query using these identities.

Case 1: $ID_2 \neq ID_b$

- Find the entry $(ID_2, Q_2, S_2, k)$ in $L_0$.

- Computes $w = e(X, S_2)$ and $h_1 = H_1(w)$.

- If $(w, h_1) \notin L_1$, returns $\perp$. Else, computes $m\|ID_1\|V = y \oplus h_1$.

- Computes $h_2 = H_2(m\|ID_1\|ID_2)$. If $(m\|ID_1\|ID_2, h_2) \notin L_2$, returns $\perp$.

- Computes $h_3 = H_3(m\|X)$. If $(m\|X, h_3) \notin L_3$, returns $\perp$.

- If $ID_1 = ID_2$ or $ID_1 \notin L_0$, returns $\perp$; else computes $Q_1 = H_0(ID_1)$.

- Checks that $e(X, V) = e(P, P)^{h_2} \cdot e(P_{pub}, Q_1)^{h_3}$; if not, returns $\perp$. Else,
returns $m$.

Case 2: $ID_2 = ID_b$

Step through the list $L_1$ with entries $(w, h_1)$ as follows:

- Computes $m\|ID_1\|V = y \oplus h_1$.

- If $ID_1 = ID_2$ or $ID_1 \notin L_0$, moves to the next entry in $L_1$ and begins again;
else computes $Q_1 = H_0(ID_1)$.

- If $m\|ID_1\|ID_2 \in L_2$, computes $h_2 = H_2(m\|ID_1\|ID_2)$; else moves to the
next entry in $L_1$ and begins again.

- If $m\|X \in L_3$, computes $h_3 = H_3(m\|X)$; else moves to the next entry in
$L_1$ and begins again.

- Checks that $e(X, V) = e(P, P)^{h_2} \cdot e(P_{pub}, Q_1)^{h_3}$. If so, returns $m$; else moves
to the next entry in $L_1$ and begins again.

- If no message has been returned after stepping through $L_1$, returns $\perp$.

Challenge. At the end of Phase 1, the adversary $A$ outputs two identities,
$ID_A$ and $ID_B$, and two messages, $m_1$ and $m_2$. If $ID_B \neq ID_b$, $C$ aborts
the simulation; else it sets $X^* = aP$ and then chooses $\gamma \in \{0, 1\}$ and
$y^* \in \{0,1\}^{n_2} \times \{0,1\}^{n_1} \times G_1$ at random. At last, it returns the challenge
ciphertext $\delta^* = (X^*, y^*)$ to $A$.

Phase 2.

The queries made by $A$ in Phase 2 are answered in the same way as those
made by $A$ in Phase 1. Here, the queries follow the restrictions that are defined
in Game 6.

Guess.

At the end of Phase 2, $A$ outputs a bit $\gamma'$. If $\gamma' = \gamma$, the challenger $C$
outputs the answer to the weak BCDH problem:
$w^* = e(X^*, S_B) = e(P, P)^{abc}$

Let's analyze the probability that the simulation can succeed. There are
two simulators that need to be noted. First, in the challenge stage, the simulator
hopes that the adversary chose $ID_b$ as the target recipient identity. This will
be the case with probability at least $1/q_0$. If this is not the case, there will be
an error when the adversary tries to make the query $Extract(ID_b)$. Second, in
Phase 2, if the adversary makes the query $H_1(w = e(P, P)^{abc})$, the simulation will
fail. However, with probability $1/q_1$ the challenger can guess the answer of the
weak BCDH problem from the records in List $L_1$. From the above remarks
we conclude that the challenger can solve the weak BCDH problem with
probability at least: Adv'2u7sf-l-so{t,p)/{qQ.qi)- 
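
The Case 2 simulations of Sign and Signcrypt, and the value output in the Guess step, can be checked numerically. The Python sketch below is an added example, not code from the paper; it assumes a toy, insecure stand-in for the pairing in which a point $xP$ is stored as the scalar $x \bmod q$ and $e(xP, yP) = g^{xy}$, with constructed parameters $q = 1019$, $p = 2039$, $g = 4$, and hypothetical function names.

```python
import secrets

# Toy model (constructed, insecure): the point xP is stored as x mod Q and
# e(xP, yP) = G^(x*y) in the order-Q subgroup of Z_p^*. It is bilinear, which
# is all the algebra of the proof needs; it hides nothing.
Q = 1019       # toy prime group order q
P_MOD = 2039   # prime p = 2q + 1
G = 4          # generator of the order-q subgroup, plays e(P, P)
P = 1          # the generator P in scalar form

def pairing(x, y):
    return pow(G, (x * y) % Q, P_MOD)

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1   # uniform in Z_q^*

def simulate_sign_case2(h2, h3, P_pub, cinvP, bP):
    """Sign for ID_b from cP, c^{-1}P and bP only; S_b = cbP is never used."""
    r = rand_scalar()
    X = (r * P_pub) % Q                                # X = r P_pub
    V = (pow(r, -1, Q) * (h2 * cinvP + h3 * bP)) % Q   # V = r^-1 (h2 c^-1 P + h3 bP)
    return X, V

def verify(X, V, h2, h3, P_pub, Q_id):
    """Check e(X, V) = e(P, P)^h2 * e(P_pub, Q_id)^h3."""
    rhs = pow(pairing(P, P), h2, P_MOD) * pow(pairing(P_pub, Q_id), h3, P_MOD)
    return pairing(X, V) == rhs % P_MOD

def demo():
    a, b, c = rand_scalar(), rand_scalar(), rand_scalar()
    aP, bP, cP, cinvP = a, b, c, pow(c, -1, Q)        # the problem instance
    h2, h3 = rand_scalar(), rand_scalar()             # stand-ins for H2, H3 outputs
    X, V = simulate_sign_case2(h2, h3, cP, cinvP, bP)
    ok = verify(X, V, h2, h3, cP, bP)                 # Q_b = H0(ID_b) = bP
    forged = verify(X, (V + 1) % Q, h2, h3, cP, bP)   # altered V is rejected
    # Guess step: X* = aP and S_b = c * bP give e(X*, S_b) = e(P, P)^(abc)
    target_ok = pairing(aP, (c * b) % Q) == pow(G, (a * b * c) % Q, P_MOD)
    return ok, forged, target_ok
```

The simulated pair verifies because $e(rcP, r^{-1}(h_2 c^{-1}P + h_3 bP)) = e(P, P)^{h_2} \cdot e(cP, bP)^{h_3}$, so the private key $S_b$ is never needed.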